Antony,

Comments inline!

Thanks,
Luis

On Fri, Feb 6, 2015 at 3:58 PM, Antony Stone <antony.st...@squid.open.source.it> wrote:

> On Friday 06 February 2015 at 22:54:54 (EU time), Luis Miguel Silva wrote:
>
> > As I started playing around with transparent ssl proxying, I learned that
> > Chrome uses an alternate communication (UDP based) protocol called QUIC.
>
> I'd never heard of QUIC, and http://en.wikipedia.org/wiki/QUIC doesn't seem to
> give much technical information on how it works, however it certainly confirms
> that it's based on UDP.
>
> > The problem is that, although the rules seem to successfully be triggered,
> > the only way I can successfully BLOCK QUIC traffic and make the browser
> > fall back to HTTP/HTTPS is by setting a default FORWARD policy to DROP:
> >
> >     iptables -P FORWARD DROP
>
> Er, why is that not your standard setup?
>
> Allow what you know you want, drop the rest - that's standard security practice.
>
> If you do set the default forward policy to drop, what problems does this
> create?

This is supposed to be a generic solution, whose main intent is to filter
http/https content (not to block "all other traffic"). If I block all traffic
by default, things will stop working, so all I want to block is whatever NEEDS
to be blocked :o)

> > So my question is: how can I completely block QUIC so I can guarantee my
> > traffic will always be redirected to Squid?
>
> 1. See above :)

Unfortunately, not an acceptable solution :o(

> 2. What UDP traffic do you want to permit, except port 53 to your (quite
> possibly local) DNS servers?

Games, VoIP, etc...

> Maybe you're using VoIP, with its associated RTSP traffic, but that's generally
> in the port range 20000-30000 or even higher, and will also be coming from
> quite specific devices (telephones), and usually also to quite specific
> destinations (SIP proxies).
>
> Therefore just block all UDP traffic which isn't known to be required.

I would really rather not. I just want to figure out what ports QUIC uses :o)

Unfortunately, the more I talk with people, the more I'm finding out that most
people don't have any idea what QUIC is (I know I didn't about 3 days ago heheh).

I might just head on to the Chromium google group and ask there! (I just posted
here cause I was sure someone else had experienced the same problem I am
experiencing while doing transparent proxying.)

Thanks,
Luis

> Incidentally, as a general comment I would repeat the last sentence above
> without the qualifier "UDP" :)
>
> Regards,
>
> Antony.
>
> --
> Anyone that's normal doesn't really achieve much.
>
>  - Mark Blair, Australian rocket engineer
>
> Please reply to the list;
> please *don't* CC me.
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
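The thread never gets as far as the port numbers, so here is the rule set a practitioner would actually install for Luis's case: block QUIC at the router without touching the default FORWARD policy, so Chrome falls back to TCP and the transparent Squid redirect sees the connection. This is an added example, not code from the thread, from Squid or from Chromium. Facts it relies on: Chrome's QUIC is UDP to port 443 (and, in 2015, also UDP 80 for plain-HTTP origins). Assumptions it makes: the box is the Linux router forwarding the clients' traffic, the LAN-facing interface name is LAN_IF (eth1 by default), and the hypothetical helper names quic_block_rules, quic_rule_count, quic_apply and quic_check_applied are mine.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or the Squid project.
# Block QUIC in FORWARD while keeping the default FORWARD policy ACCEPT,
# so only the UDP ports QUIC is spoken on are affected.
#
# Facts: Chrome speaks QUIC over UDP to port 443, and (at the time of the
# thread) also UDP 80 for plain-HTTP origins.
# Assumptions: this host is the router (client packets traverse FORWARD)
# and LAN_IF is the inside interface; both names are mine, not the thread's.

LAN_IF="${LAN_IF:-eth1}"           # assumption: LAN-facing interface
QUIC_PORTS="${QUIC_PORTS:-443 80}" # UDP ports QUIC is spoken on

# Emit one firewall command per line, for IPv4 and IPv6, instead of running
# them: review first, then run with QUIC_APPLY=1 as root.
# Rules go to the TOP of FORWARD (-I ... 1 / 2) so an earlier, more general
# ACCEPT cannot short-circuit them; an appended (-A) rule that sits below
# such an ACCEPT will never match, which is the classic "rule is there but
# the traffic still gets through" symptom.
quic_block_rules() {
    for ipt in iptables ip6tables; do
        for port in $QUIC_PORTS; do
            # LOG at position 1, REJECT at position 2: hits show up in the
            # kernel log while you verify the browser really falls back.
            echo "$ipt -I FORWARD 1 -i $LAN_IF -p udp --dport $port -j LOG --log-prefix QUIC-blocked: --log-level 4"
            # REJECT rather than DROP: the client gets an immediate ICMP
            # port-unreachable instead of waiting out a UDP handshake timeout.
            echo "$ipt -I FORWARD 2 -i $LAN_IF -p udp --dport $port -j REJECT"
        done
    done
}

# How many REJECT rules the generated set contains for a given UDP port
# (one per address family). Used as a sanity check before applying.
quic_rule_count() {
    quic_block_rules | grep -c -- "-p udp --dport $1 -j REJECT"
}

# Apply the generated rules. Needs root and real iptables/ip6tables binaries.
quic_apply() {
    quic_block_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# After applying, confirm the IPv4 REJECT rule is really present in FORWARD
# (iptables -C exits 0 when the rule exists, non-zero otherwise).
quic_check_applied() {
    iptables -C FORWARD -i "$LAN_IF" -p udp --dport 443 -j REJECT
}

if [ "${QUIC_APPLY:-0}" = "1" ]; then
    quic_apply && quic_check_applied
else
    quic_block_rules
fi
```

Run it once with no arguments to see the eight commands it would issue, then `QUIC_APPLY=1 sh quic-block.sh` as root. After that, `grep QUIC-blocked /var/log/kern.log` (or `dmesg`) shows each blocked attempt, and a Chrome tab to a Google property should reappear in Squid's access.log over TCP. Where the browsers are centrally managed, Chrome's `QuicAllowed` enterprise policy turns QUIC off at the client and removes the need for the firewall rule entirely.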